Apache Releases Security Update for HTTP Server

DESCRIPTION:
The Apache Software Foundation has released Apache HTTP Server 2.4.52.
Reference: https://downloads.apache.org/httpd/Announcement2.4.html

CVE-2021-44790 (CVSS score: 9.8, CRITICAL) – A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability, though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

CVE-2021-44224 (CVSS score: 8.2, HIGH) – A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).

IMPACT:

Apache HTTP Server 2.4.52 addresses vulnerabilities CVE-2021-44790 and CVE-2021-44224, one of which may allow a remote attacker to take control of an affected system.

RECOMMENDATIONS:
Updates are available. Please see the references or vendor advisory for more information.
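As an added triage helper (not part of this advisory or of the Apache project), the following Python applies the version ranges and exposing directives stated above to `httpd -v` output and an httpd.conf excerpt; the sample inputs are constructed, and the helper does not inspect Lua scripts for r:parsebody() calls.

```python
import re

# Version ranges as stated in the 2.4.52 advisory.
LAST_AFFECTED = (2, 4, 51)            # both CVEs are fixed in 2.4.52
FIRST_AFFECTED_44224 = (2, 4, 7)      # CVE-2021-44224 affects 2.4.7 and later

def parse_httpd_version(httpd_v_output: str) -> tuple:
    """Pull the (major, minor, patch) tuple out of `httpd -v` output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    if not m:
        raise ValueError("no Apache/x.y.z version found in httpd -v output")
    return tuple(int(x) for x in m.groups())

def applicable_cves(version: tuple, config_text: str) -> list:
    """Return the advisory CVEs whose version range and exposing config both match.

    Patterns are anchored at the start of a line, so commented-out directives
    ('#ProxyRequests On') are ignored, as httpd itself ignores them.
    """
    findings = []
    lua_loaded = re.search(r"^\s*LoadModule\s+lua_module\b", config_text, re.I | re.M)
    forward_proxy = re.search(r"^\s*ProxyRequests\s+On\b", config_text, re.I | re.M)
    # CVE-2021-44790: mod_lua multipart parser; only reachable when mod_lua is loaded
    # (and a Lua handler calls r:parsebody(), which this helper does not check).
    if version <= LAST_AFFECTED and lua_loaded:
        findings.append("CVE-2021-44790")
    # CVE-2021-44224: forward proxy (ProxyRequests On), 2.4.7 through 2.4.51 inclusive.
    if FIRST_AFFECTED_44224 <= version <= LAST_AFFECTED and forward_proxy:
        findings.append("CVE-2021-44224")
    return findings

if __name__ == "__main__":
    # Constructed sample inputs; substitute real `httpd -v` output and httpd.conf.
    sample_httpd_v = "Server version: Apache/2.4.51 (Unix)\nServer built:   Oct  7 2021 00:00:00"
    sample_conf = (
        "LoadModule proxy_module modules/mod_proxy.so\n"
        "LoadModule lua_module modules/mod_lua.so\n"
        "#ProxyRequests Off\n"
        "ProxyRequests On\n"
    )
    version = parse_httpd_version(sample_httpd_v)
    hits = applicable_cves(version, sample_conf)
    print("httpd %d.%d.%d:" % version, ", ".join(hits) or "not affected by this advisory")
```

A hit means the installation is in the affected range and has the exposing configuration enabled; upgrading to 2.4.52 clears both findings.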

REFERENCES:
http://httpd.apache.org/security/vulnerabilities_24.html
https://downloads.apache.org/httpd/Announcement2.4.html
https://nvd.nist.gov/vuln/detail/CVE-2021-44790
https://nvd.nist.gov/vuln/detail/CVE-2021-44224

Published: 23 December 2021, 13:41:18 BST
